It just seems a little hard to believe that with all of our technological advances and the billions of dollars spent on engineering the most unbelievable and mind-blowing software, we still have no other means of protecting against piracy than a "serial number/activation key". I'm sure a ton of money, maybe even billions, went into creating Windows 7 or Office and even Snow Leopard, yet I can get it for free in less than 20 minutes. Same for all of Adobe's products, which are probably the easiest.

Can there exist a fool-proof and hack-proof method of protecting your software against piracy? If not realistically, how about theoretically possible? Or no matter what mechanisms these companies deploy, can hackers always find a way around it?

We're looking for long answers that provide some explanation and context. Don't just give a one-line answer; explain why your answer is right, ideally with citations. Answers that don't include explanations may be removed.

5

Actually, some corporations try much more sophisticated anti-piracy methods (e.g. requiring connection to internet, checking that one copy only runs on one hardware, DNA locks, etc.). But they still get cracked.
–
delnanFeb 10 '11 at 22:05

70

There is an easy solution: provide mindblowingly high quality support for legitimate users. Even more, don't treat non-paying users as criminals, but as your potential market. Of course this costs money but the savings in legal costs and fees paid to copy protection kludge factories would soften the blow.
–
biziclopFeb 10 '11 at 23:20

21

There is no good technological solution to a behavioral problem.
–
JobFeb 10 '11 at 23:22

13

Tenacity - give a man a fish, he'll eat a fish; tell him he can't have fish, expect a fight.
–
OrblingFeb 11 '11 at 1:14

7

@Job: ... No. There is a growing body of evidence that suggests that "piracy" (a very bad term for infringement) has a major economic benefit for the content creators, and in so doing benefits the commons. Your comparison would be far more accurate when discussing the "benefits" of DRM.
–
greyfadeFeb 12 '11 at 23:32

17 Answers
17

Code is data. When the code is runnable, a copy of that data is un-protected code. Unprotected code can be copied.

Peppering the code with anti-piracy checks makes it slightly harder, but hackers will just
use a debugger and remove them. Inserting no-ops instead of calls to "check_license" is pretty easy.

Hard-to-hack programs do progressively more annoying things.

But vendors have to sell customers software they are prepared to use.

Not everyone allows computers to phone home.

Some people working on sensitive stuff refuse to connect machines to the internet.

Programs I sell at my current employer (aerospace tools) don't phone home ever. The customers wouldn't tolerate phoning home for "activation" every time the program starts.

Worst case, the program runs in a VM with no networking, where it's always a fixed date.

So it might have been legitimately installed once, but no efforts on the part of the developers can have it tell that it's not how it was.

Attempts to add hardware "copy prevention" to general purpose computers are doomed to
failure.

Whatever company sells hardware without copy prevention ends up selling all the hardware.

Vendors like Dell and Intel progressively try to introduce spy-hardware like Palladium, but they are strongly resisted.

When the computer is doing something scientific, real-time, any interruptions to "check for pirated content" will cause failures. If all computers had hardware DRM, the special scientific/realtime ones would have to not have it. Accidentally everyone would buy special scientific/realtime ones.

Hardware DRM checks will have false positives on some kinds of content.

Simplest case: resolution. I record Quad HD video from my camera array (sitting on my desk right now). Windows DRM gets between me and the data because it's QuadHD.

Signature analysis: The Hardware DRM is small and has a relatively fixed data set. It also has to use the same data bus as the CPU so it slows things down intermittently. This ruins anything realtime.

So then to make the Hardware DRM smarter during a false positive your computer will eventually get interrupted to go and check using a web service. Now my science data processor either fails because it isn't networked, or stops streaming data.

In regards to your first bullet point, what if your computer wasnt the one to run the code? Maybe a host computer somewhere? Sure now that seems impossible, but would that theoretically be a solution? (is this what cloud computing is?)
–
maqFeb 10 '11 at 22:59

2

@mohabitar: Cloud computing certainly limits piracy, since no source code is available for copying (except if there's a network security breach). However, (a) many tasks are completely unsuitable for the cloud and (b) even more tasks are done better on the desktop (so desktop apps win over their cloud counterparts).
–
dbkkFeb 11 '11 at 2:09

1

@Ben Voight I've tried to expand my description of the failure modes this introduces. Example: Lets say I'm streaming data from a science instrument to my hard drive. There is hardware DRM in my hard drive controller. I'm streaming the data at the maximum write rate, and the DRM circuit detects what it thinks is a DRM signature in the science data stream. Now it stops me. Either to get verification online, or just stops me. Ow Ow Ow. Or even worse calls the MPAA to come sue me for streaming what looks like a movie in the perception of their $5 anti-piracy chip.
–
Tim WilliscroftJan 23 '12 at 22:23

Ultimately the big problem is that most software involves handing both the lock and the key to the potential attacker and hoping they don't figure out how to put them together.

The only secure method of protecting software is not giving it to the user (e.g. SaaS). You'll notice you can't "pirate" Google Docs, for example. Ultimately, if you're trying to secure something, you have to assume they have full knowledge of anything you give them. You can't trust the client. This applies to preventing piracy just as much as it does to protecting a system against being compromised.

Since the existing software distribution models are based around giving the client the whole package and then attempting to protect it on hardware the potential attacker controls, the distribution model is incompatible with any concept of "unpirateable" software.

IMHO a fundamental problem is that most or all of the "foolproof and hack proof" methods* of protecting software against piracy also annoy or even drive away the innocent and legal users.

E.g. checking that the app is installed only on a single machine may make it difficult for a user to change hardware in their machine. Hardware dongles may mean you can't use the same app on your work and home machines. Not to mention DVD area codes, CSS, the Sony rootkit et al., which are not strictly for software protection, but closely related.

*which, as @FrustratedWithFormsDesigner noted, are never perfect in practice; there is no 100% safety, you can only try to make it costly enough for an intruder to break the defense so that there won't be "too many" of them. And I believe it is due to the fundamental nature of software and digital information, that once someone manages to break a particular defense, the break can almost always be trivially replicated by millions.

As Bruce Schneier said, trying to make digital files uncopyable is like trying to make water not wet. He talks primarily about "DRM", which is applied more to content (e.g., movies) than code, but from the viewpoint of preventing copying what's in the file makes little real difference -- copying a file is copying a file is copying a file.

When deciding about anti-piracy measures, companies do a cost-benefit analysis. For any given set of measures, if the benefits don't outweigh the costs, the company doesn't do it.

Costs include time and effort to implement, document, support and maintain the measures, and perhaps sales losses if they're really annoying. Generally speaking, there are two kinds of benefits:

Larger profits because people who would have pirated the program bought it instead..

The people who make decisions are happy the program isn't getting pirated.

Here's a simple example: Microsoft Office.

Now, MS is all about the money, and not so much about making execs happy about piracy. For some time, MS has been selling a "Home and Student" edition of Office for way cheaper than the "normal" edition for business. I bought this a few years ago, and it had no copy protection at all! And the "anti-piracy" technology consisted of entering a product key which was then stored in the application folder. But you could run it on as many computers as you wanted simultaneously, and they'd all run fine! In fact, on the Mac, you could drag the application folder across the network to another computer where you'd never done an installation, and because the product key was stored with the application, it ran great.

Why such pathetic anti-piracy technology? Two reasons.

The first is because the added cost of tech support for home users screwing up their installations was just not worth it.

The second is the non-technical anti-piracy measures. MS has a whistleblower program where if you know a company has pirated MS software - like installing 200 copies of the same "Home and Student" Office - you can give them a call. Then MS comes in and audits the company, and if it finds pirated software, sues the crap out of them - and you get a big cut of the winnings.

So MS doesn't have to use technology to prevent piracy. They find it more profitable to just use cold, hard cash.

There is only one "fool proof and hack proof method of protecting your software against piracy":

Free Software (As in you can do what ever you want with it, even sell it.)

You can not steal what is freely given. Granted, that'll muck up some dinosaur companies software models, but piracy is going nowhere. Sell something you can't copy, preferably something that accompanies what you gave away free; your help for instance.

Riiiight ... "dinosaur companies". And then pretend to add value by inflated "service contracts"? No thanks, I prefer paying for quality engineering rather than fluff service contracts. While I love and we even sponsor free software, your answer lost credibility via the "dinosaur" comment.
–
DeepSpace101Mar 15 '14 at 16:08

1

How is this the only way? What about software running on the owner's server? Also if we accept that Free Software is the answer to piracy what do we do about people who take the free software modify it and then violate the agreement by not making the changes available to others. Isn't this the piracy of free software?
–
StilgarMar 16 '14 at 8:33

5

This is incorrect; it's very easy to pirate most free software - use it in ways incompatible with the license. Matthew Garrett, for example, has a long and fabulous history of helping companies get into compliance with their GPL obligations for busybox.
–
RAOFMar 16 '14 at 22:10

At a fundamental level, a lot of what a computer does works by copying data around. For example, in order to execute a program, the computer has to copy it from the hard drive into memory. But once something has been copied into memory, it can be written from memory onto another location. Bearing in mind that the fundamental premise of "piracy protection" is to make software that cannot be successfully copied, you can begin to see the magnitude of the problem.

Second, the solution to this difficult problem acts directly against the interests of both legitimate users and those who wish to use the software without acquiring it legally. Some of those users will have the technical knowledge needed to analyze compiled code. Now you have a competent adversary actively working against you.

Because this is a difficult problem, and because producing correct software is also inherently difficult, it's very likely that your solution will contain at least one exploitable bug somewhere. For most software, that doesn't matter, but most software isn't under active attack by a determined adversary. The nature of software being what it is, once one exploitable bug is found, it can be used to take control of the entire system and disable it. So in order to produce reliable protection, your solution to the very difficult problem must be perfect or it will be cracked.

The fourth factor is the worldwide Internet. It makes the problem of transmitting information to anyone who's interested trivial. This means that once your imperfect system is cracked once, it's cracked everywhere.

The combination of these four factors means that no imperfect copy-protection system can possibly be safe. (And when's the last time you saw a perfect piece of software?) In light of this, the question shouldn't be "why is software still easily pirated?", but "why are people still trying to prevent it?"

@mohabitar: Yes, that's exactly what I think, because it does not, and can not, ever work. No DRM system I'm aware of has lasted more than 1 month after being exposed to the Internet before being cracked wide open. Microsoft spends more money on R&D every single day than you'll see in your entire life, and they can't get it right. Heck, Windows 7 was cracked before it was even released! So what makes any smaller developer think they have any chance whatsoever of success?
–
Mason WheelerFeb 10 '11 at 22:53

2

One thing small developers have "on their side" is that fewer pirates are likely to care. If no-one wants your software, no-one will pirate it, or develop a crack for others. Not really a nice thought, but with a practical aspect if you're targeting a niche market.
–
Steve314Feb 10 '11 at 23:05

3

@Steve314: Maybe, but if there are no pirates after you anyway, then it's even more of a waste. Instead of trying to solve a problem that exists but can't be solved well, you're devoting resources to solving a problem that doesn't exist.
–
Mason WheelerFeb 10 '11 at 23:20

1

@Steve314: Heck, if you're cynical enough about it, the case could be made that it's actively in your best interest, in this particular circumstance, to not put in any copy protection. If they do pirate it and you take them to court over it, you can make a lot more in damages than you would have in sales, so why not make it as easy for them as possible? ;)
–
Mason WheelerFeb 11 '11 at 0:37

One often overlooked, major motivation behind Cloud based SaaS solutions is securing revenue streams.

I think this is where the future of IP monetization and protection really is.

By shifting focus from selling on-premise solutions that are to be run in an environment that is outside the control of Vendors, eventually every strategy against software piracy is doomed to fail. There is just no way to protect your assets when you give them out to someone else, since the protection needs to be enforced on his machine.

By having your Software hosted in the Cloud and provided as a service, you are effectively raising the bar for piracy to a level where its monkey business.

No, it doesn't work. See, there's a thing called espionage, that exists since the dawn of time. Also, an ex employee, or someone who is just not happy could leak it. Or it could leak accidentally. There are millions of scenarios where it doesn't work, and many are likely.
–
IsmaelJan 24 '12 at 8:17

I think the answer you are searching for is that many companies don't really care about piracy that way anymore. Nobody wants their stuff getting out for free, but when you look at the trade off between annoying and having to support all the folks where the advanced copy protection broke or broke their computers. A few companies have gone far out of their way to care, but at the end of the day the stuff is still cracked and their users tend to leave with a bad taste in their mouths.

It isn't worth the pain (or the potential loss of customers) to try and implement it for the few people you would prevent from hacking in anyway.

Some companies have even viewed the pirate users as a resource. Valve made a splash in the news with a comment like that a while back, and you cannot tell me that Microsoft didn't come out on the winning side of all the pirated Windows installs in Asia over the years.

For the microsofts out there, they look to sell large blocks of licenses for the little guys they need every sale but cannot afford to loose customers or in some cases even afford the rootkits and other vile crap people use to try and build that sort of lock-in.

You can't make a perfect anti-piracy, but there are not a lot of people who are highly motivated to try anymore.

Whatever you build into your software, it has to be understandable by the machine that will run it. As software has got more sophisticated, the software to understand other software has also got more sophisticated. So if that software is understandable by the machine, it is understandable (and modifiable) by the pirate.

For example, in principle, you could build strong encryption into your executable, so that most of the software is unreadable. The problem then is that end-users machines can no more read that code than the pirates. To solve that, your software must include both the decryption algorithm and the key - both either in the clear, or at least hiding behind weaker encryption (with the decryption for that being in the clear).

IIRC, the best disassemblers can warn you about encrypted code and help you capture and analyse what's hiding behind the encryption. If that seems like the disassembler writers are evil, consider that security developers need this every day, to investigate viruses and other malware that also hides in encrypted code.

There's probably only two solutions to this. One is the closed platform that locks its own users out. As the Playstation 3 shows, that's not necessarily a guarantee. In any case, there's a large class of non-evil users who won't like it.

The other is for your software to run on servers that are under your control.

One reason I guess is, the very same people that know how to write decent security, are probably hackers themselves.

Also, trying to protect yourself against piracy is really, really difficult. Since your computer has to execute this protection itself, it can be intercepted at any given point (memory/execution/network traffic/...). That's where obfuscation comes in, trying to make it impossible to understand what's going on.

I believe the power in serial numbers and activation keys lies in the fact that you can at least see who is pirating, and try to track it/block it this way. I believe that's part of the reason why so many services are online services nowadays. (Steam, Windows update etc...) It suddenly becomes a lot more difficult to crack, ... but again still possible.

Where you have a succesful product, you have more people trying to crack it, so chances it will get pirated are bigger.

Technically speaking, software can still be pirated because most of the IT still operates on software and hardware environments conceptually engineered millenia ago, when even the notion of software piracy didn't exist.

Those foundations have to be maintained for backwards compatibility further increasing our dependency on them.

If we were to redesign hardware/software environments from scratch with the anti-piracy in mind, we could add significant improvements.

See for yourself:

The same open operating system with all its components entirely exposed and literally offering itself for manipulation

The same open computer architecture which will take any software you throw at it

Software distribution model is still based on unencrypted files which are handed over to the user

The exactly same problem exists with the Internet and its low security, many vulnerabilities, openness for manipulation, spam and distributed attacks. We would do it much better the second time, if we could redo the Internet. Unfortunately we have to stick with what we have to maintain compatibility will the mass of applications and services in existence.

For now it seems that the best way to protect software from piracy is to introduce changes at the hardware level:

Close down the hardware and turn it into a black box. Make it impossible for a user to mess with the hardware and its software. The approach here is to probably encrypt everything at the chip level so that their external interfaces are fully encrypted. A good example of that is the HDCP encryption for the media interface HDMI - a media stream is encrypted before it leaves the player box and decrypted inside of a display unit so that there is no open data stream to intercept.

Close down distribution channels. Make all external media and online channels fully encrypted so that only certified hardware is able to decrypt the datastream.

It is possible to pull off both but it will turn the entire ecosystem into a prison. Most probably a parallel/underground movement of a free hardware/software will arise creating a parallel ecosystem.

Encryption solves nothing, as it has to be encrypted eventually to be run. Computers that are locked down "black boxes" are not general purpose computers. Game consoles and iPad spring to mind. The history of jail-breaking that sort of gear into general purpose machines is pretty amusing.
–
Tim WilliscroftFeb 10 '11 at 22:53

2

This is what Microsoft clame. This will stop most legitemate users, installing Free Software. And MAKE them use Microsofts stuff. (no firefox, no chrome, no apache, no internet)
–
richardMar 29 '11 at 10:50

Given the effort, almost-perfect copy-protection could probably be achieved… but it wouldn’t be worth the cost. Several notable blogs have discussed itexcellently: specifically, the concept of an optimal piracy rate.

Anti-piracy measures have several costs: the direct cost of implementing them, but also indirect costs: eg the measures often cause inconvenience, driving away users.

Piracy has costs, but they’re often not terribly high. It may also even have some benefits, e.g. in expanding user base. As one commenter wrote on the Coding Horror post: “Now that I'm a developer and I actually have money to spend of software, I tend to buy the programs that I pirated in my college days because I'm already familiar with them.”

So, some anti-piracy protection is important to make sure legitimate sales aren’t undercut too badly; but beyond a certain point, there’s just no economic incentive to make the anti-piracy measures better.

In a world where computers are similar enough to be able to download software from the net and immediately run it, it is very hard to identify something that allows determination of whether this computer is ok to run on, but that computer isn't.

It eventually boils down to you having something nobody else has. This can be a serial number you've paid for, a hardware dongle or a dvd with physical errors in a certain location on it. The software then looks for that specific thing, and refuse to run if it isn't there. For serial numbers you also need to have a location on the internet where the software can validate that the serial number is acceptable to the mother ship.

Unfortunately hackers are very good at surgically remove such checks, so the code needs to be very convoluted and hard to modify to make it difficult, but with sufficient dedication a human still can do it.

Hence, most inexpensive software products go for the serial number with a mothership on the internet validating it, plus a license policy that the coorporate cashcows are obliged to follow. The expensive products usually use dongle protection.

All the answers seem to be technical, but it is not a technical problem, it is social.

Software is easy to copy and hard to write. If it where not easy to copy we would not bother. Most programs are just to expencive to write as one offs, and the smaller ones rely on bigger programs to be able to run. If we also make programs difficalt to copy, then we are putting our selfs at a competative disadvantage. Yes you can maximise short term profit by discoraging copying. But in the end you will lose market share to who ever can minimies cost-to-copy, cost-to-write and cost-to-use.

Free Software minimises 1 of these costs cost-to-copy, and has a masive reduction on the other 2 cost-to-write and cost-to-use.

cost-to-copy

I can install Ubuntu linux in about the same time and effort as windows 7 [windows 7 needs me to additionaly add a licence key making it slightly more difficult].

Windows 7 will cost £100, but for Ubuntu I can download it, buy it for £6 at the magazine store (with a free magazine thrown in), £2 mail order or borrow a cd from a friend.

cost-to-write

Free Software can be modified, this reduces the cost. I don't have to start from the begining.

cost-to-use

With Windows 7 I get no applications, except a web browser, with Ubuntu I get every application I can immagine, lots install with the OS.

I don't need a virus scanner on Linux.

I can run Linux on older hardware.

With Free Software, no one is forcing be to upgrage, by making incompatible versions of there office tools.

When you take the example of windows 7, it's obvious that the answer is no, simply because the PC architecture and PC programming is very well known.

But if you consider other hardwares, like the PS3, the PSP and the iPhone, it's utterly different, mainly because the manufacturer has the control over everything, no just the software anymore: they can make the hardware run only genuine software, and this requires good hacking skills to break those.

You should take a look at the microsoft longhorn project back in the day: at the time they wanted to implements chips to check wether your software were genuine or not. Theorically it would have been very difficult to hack, but they didn't do it because it would have been very intrusive.

The PS3 was cracked only months after Sony's removal of OtherOS made it worthwhile. The iPhone is routinely cracked. The quality of hacking skills really doesn't matter, since if one person can crack something, the technique spreads across the net.
–
David ThornleyFeb 11 '11 at 15:58